SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

action: global
title: NetNTLM Downgrade Attack
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth, wagga
date: 2018/03/20
modified: 2021/06/27
tags:
    - attack.defense_evasion
    - attack.t1089          # an old one
    - attack.t1562.001
    - attack.t1112
detection:
    condition: 1 of them
falsepositives:
    - Unknown
level: critical
---
logsource:
    product: windows
    category: registry_event
detection:
    selection1:
        TargetObject|contains|all: 
            - 'SYSTEM\'
            - 'ControlSet'
            - '\Control\Lsa'
        TargetObject|endswith:
            - '\lmcompatibilitylevel'
            - '\NtlmMinClientSec'
            - '\RestrictSendingNTLMTraffic'
            
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection:
        EventID: 4657
        ObjectName|contains|all: 
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'ControlSet'
            - '\Control\Lsa'
        ObjectValueName: 
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
    condition: selection
falsepositives:
    - Unknown
level: critical
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`action: global`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`title: NetNTLM Downgrade Attack`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`description: Detects NetNTLM downgrade attack`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`references:`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks`
Updated rules with modifiers instead of '*' and remove trailing '\\' 2021-06-27 12:51:29 +00:00			`author: Florian Roth, wagga`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`date: 2018/03/20`
Updated rules with modifiers instead of '*' and remove trailing '\\' 2021-06-27 12:51:29 +00:00			`modified: 2021/06/27`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.defense_evasion`
			`- attack.t1089 # an old one`
			`- attack.t1562.001`
			`- attack.t1112`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
			`condition: 1 of them`
			`falsepositives:`
			`- Unknown`
			`level: critical`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`---`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`logsource:`
			`product: windows`
Clean-up service: sysmon as it will be replaced by filling the category 2021-04-15 00:02:25 +00:00			`category: registry_event`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`detection:`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`selection1:`
Update win_net_ntlm_downgrade.yml 2020-10-28 00:59:49 +00:00			`TargetObject\|contains\|all:`
			`- 'SYSTEM\'`
			`- 'ControlSet'`
			`- '\Control\Lsa'`
			`TargetObject\|endswith:`
			`- '\lmcompatibilitylevel'`
			`- '\NtlmMinClientSec'`
			`- '\RestrictSendingNTLMTraffic'`

Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`---`
			`# Windows Security Eventlog: Process Creation with Full Command Line`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
fix: rule 2021-02-24 12:44:13 +00:00			`selection:`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`EventID: 4657`
Updated rules with modifiers instead of '*' and remove trailing '\\' 2021-06-27 12:51:29 +00:00			`ObjectName\|contains\|all:`
			`- '\REGISTRY\MACHINE\SYSTEM'`
			`- 'ControlSet'`
			`- '\Control\Lsa'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`ObjectValueName:`
			`- 'LmCompatibilityLevel'`
			`- 'NtlmMinClientSec'`
			`- 'RestrictSendingNTLMTraffic'`
fix: rule 2021-02-24 12:44:13 +00:00			`condition: selection`
fix: Sysmon NTLM downgrade attack - too many fps 2021-02-24 12:22:25 +00:00			`falsepositives:`
			`- Unknown`
Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 20:34:34 +00:00			`level: critical`